From 8172307fe10a9231df33c68daa6b50352e0a62dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Fri, 19 Feb 2021 18:43:50 +0100 Subject: [PATCH] Add driver-args --- CHANGELOG.md | 9 ++- README.md | 48 ++++++++++---- contrib/drivers/gopass.sh | 10 ++- scripts/commands/helm.sh | 4 -- scripts/commands/help.sh | 7 ++- scripts/drivers/sops.sh | 16 +++-- scripts/drivers/vault.sh | 10 ++- scripts/run.sh | 7 +++ tests/unit/dec.bats | 98 +++++++++++++++++++++++++++++ tests/unit/lint.bats | 128 ++++++++++++++++++++++++++++++++++++++ tests/unit/template.bats | 128 ++++++++++++++++++++++++++++++++++++++ tests/unit/view.bats | 92 +++++++++++++++++++++++++++ 12 files changed, 528 insertions(+), 29 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b834ce2..d882ad14 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,10 @@ Allow override sops version on installation ## [Unreleased] -## [3.4.3] - 2021-02-19 +## [3.5.0] - 2021-02-20 + +### Added +- Added `--driver-args` to pass additional argument to underlying commands (https://github.com/jkroepke/helm-secrets/pull/82) ### Fixes - "grep: Invalid range end" if locale is not C (https://github.com/jkroepke/helm-secrets/pull/81) @@ -103,8 +106,8 @@ Started a fork of https://github.com/zendesk/helm-secrets - Support all helm sub commands and plugins -[Unreleased]: https://github.com/jkroepke/helm-secrets/compare/v3.4.3...HEAD -[3.4.3]: https://github.com/jkroepke/helm-secrets/compare/v3.4.2...v3.4.3 +[Unreleased]: https://github.com/jkroepke/helm-secrets/compare/v3.5.0...HEAD +[3.5.0]: https://github.com/jkroepke/helm-secrets/compare/v3.4.2...v3.5.0 [3.4.2]: https://github.com/jkroepke/helm-secrets/compare/v3.4.1...v3.4.2 [3.4.1]: https://github.com/jkroepke/helm-secrets/compare/v3.4.0...v3.4.1 [3.4.0]: https://github.com/jkroepke/helm-secrets/compare/v3.3.5...v3.4.0 diff --git a/README.md b/README.md index 2fb7fefa..93b1dd7d 100644 --- a/README.md +++ b/README.md 
@@ -21,6 +21,7 @@ In meanwhile, this project is officially listed on the [community projects side] ### Decrypt secrets via plugin command Wraps the whole helm command. Slow on multiple value files. + ``` helm secrets upgrade name . -f secrets.yaml ``` @@ -28,6 +29,7 @@ helm secrets upgrade name . -f secrets.yaml ### Decrypt secrets via protocol handler Run decrypted command on specific value files. + ``` helm upgrade name . -f secrets://secrets.yaml ``` @@ -95,7 +97,7 @@ By default, helm plugin install does this for you. ```bash # Install a specific version (recommend) -helm plugin install https://github.com/jkroepke/helm-secrets --version v3.4.0 +helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0 # Install latest unstable version from main branch helm plugin install https://github.com/jkroepke/helm-secrets @@ -119,10 +121,10 @@ curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/hel ```bash # Windows (inside cmd, needs to be verified) -curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.4.0/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf- +curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.5.0/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf- # MacOS / Linux -curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.4.0/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf- +curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.5.0/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf- ``` ### Installation on Helm 2 @@ -130,6 +132,7 @@ curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.4.0/hel Helm 2 doesn't support downloader plugins. Since unknown keys in `plugin.yaml` are fatal, then plugin installation need special handling. Error on Helm 2 installation: + ``` # helm plugin install https://github.com/jkroepke/helm-secrets Error: yaml: unmarshal errors: 
@@ -170,11 +173,32 @@ Pull Requests are much appreciated. The driver option is a global one. A file level switch isn't supported yet. +## Pass additional arguments to secret driver + +```bash +helm secrets -a "--verbose" view ./tests/assets/helm_vars/secrets.yaml +``` + +results into: + +``` +[PGP] INFO[0000] Decryption succeeded fingerprint=D6174A02027050E59C711075B430C4E58E2BBBA3 +[SOPS] INFO[0000] Data key recovered successfully +[SOPS] DEBU[0000] Decrypting tree +[helm-secrets] Decrypt: tests/assets/values/sops/secrets.yaml +==> Linting examples/sops +[INFO] Chart.yaml: icon is recommended + +1 chart(s) linted, 0 chart(s) failed + +[helm-secrets] Removed: tests/assets/values/sops/secrets.yaml.dec +``` + ## Main features The current version of this plugin using [mozilla/sops](https://github.com/mozilla/sops/) by default as backend. -[Hashicorp Vault](http://vaultproject.io/) is supported as secret source since v3.2.0, too. In addition, [sops support vault since v3.6.0 natively](https://github.com/mozilla/sops#encrypting-using-hashicorp-vault). +[Hashicorp Vault](http://vaultproject.io/) is supported as secret source since v3.2.0, too. In addition, [sops support vault since v3.6.0 natively](https://github.com/mozilla/sops#encrypting-using-hashicorp-vault). What kind of problems this plugin solves: 
@@ -197,14 +221,14 @@ An additional documentation, resources and examples can be found [here](USAGE.md ## Moving parts of project -* [`scripts/install.sh`](scripts/install.sh) - Script used as the hook to download and install sops and install git diff configuration for helm-secrets files. -* [`scripts/run.sh`](scripts/run.sh) - Main helm-secrets plugin code for all helm-secrets plugin actions available in `helm secrets help` after plugin install -* [`scripts/drivers`](scripts/drivers) - Location of the in-tree secrets drivers -* [`scripts/commands`](scripts/commands) - Sub Commands of `helm secrets` are defined here. -* [`scripts/lib`](scripts/lib) - Common functions used by `helm secrets`. -* [`scripts/wrapper`](scripts/wrapper) - Wrapper scripts for Windows systems. -* [`tests`](tests) - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See [`tests/README.md`](tests/README.md) for more informations. -* [`examples`](examples) - Some example secrets.yaml +- [`scripts/install.sh`](scripts/install.sh) - Script used as the hook to download and install sops and install git diff configuration for helm-secrets files. +- [`scripts/run.sh`](scripts/run.sh) - Main helm-secrets plugin code for all helm-secrets plugin actions available in `helm secrets help` after plugin install +- [`scripts/drivers`](scripts/drivers) - Location of the in-tree secrets drivers +- [`scripts/commands`](scripts/commands) - Sub Commands of `helm secrets` are defined here. +- [`scripts/lib`](scripts/lib) - Common functions used by `helm secrets`. +- [`scripts/wrapper`](scripts/wrapper) - Wrapper scripts for Windows systems. +- [`tests`](tests) - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See [`tests/README.md`](tests/README.md) for more informations. 
+- [`examples`](examples) - Some example secrets.yaml ## Copyright and license diff --git a/contrib/drivers/gopass.sh b/contrib/drivers/gopass.sh index 79f9f561..6bb33eb2 100644 --- a/contrib/drivers/gopass.sh +++ b/contrib/drivers/gopass.sh @@ -6,6 +6,12 @@ _DRIVER_REGEX='!gopass [A-Za-z0-9\-\_\/]*' # shellcheck source=scripts//drivers/_custom.sh . "${SCRIPT_DIR}/drivers/_custom.sh" +_gopass() { + # shellcheck disable=SC2086 + set -- ${SECRET_DRIVER_ARGS} "$@" + gopass "$@" +} + _custom_driver_get_secret() { _type=$1 _SECRET=$2 @@ -15,9 +21,9 @@ _custom_driver_get_secret() { exit 1 fi - if ! gopass show -o "${_SECRET}"; then + if ! _gopass show -o "${_SECRET}"; then echo "Error while get secret from gopass!" >&2 - echo gopass show -o "${_SECRET}" >&2 + echo gopass show -o "${_SECRET}" "${SECRET_DRIVER_ARGS}" >&2 exit 1 fi } diff --git a/scripts/commands/helm.sh b/scripts/commands/helm.sh index b76215a2..f3d9d0b1 100644 --- a/scripts/commands/helm.sh +++ b/scripts/commands/helm.sh @@ -107,10 +107,6 @@ helm_wrapper() { j=$((j + 1)) done - if [ "${QUIET}" = "false" ]; then - echo >&2 - fi - "${HELM_BIN}" ${TILLER_HOST:+--host "$TILLER_HOST"} "$@" } diff --git a/scripts/commands/help.sh b/scripts/commands/help.sh index d019f582..de00c4e3 100644 --- a/scripts/commands/help.sh +++ b/scripts/commands/help.sh @@ -3,7 +3,7 @@ set -euf help_usage() { - cat < wrapper that decrypts encrypted yaml files before running helm +Available Options: + --quiet -q Suppress info messages (env: $HELM_SECRETS_QUIET) + --driver -d Secret driver to use for decryption or encryption (env: $HELM_SECRETS_DRIVER) + --driver-args -a Additional args for secret driver (env: $HELM_SECRETS_DRIVER_ARGS) + --help -h Show help EOF } diff --git a/scripts/drivers/sops.sh b/scripts/drivers/sops.sh index 6a1bc619..91c611e7 100644 --- a/scripts/drivers/sops.sh +++ b/scripts/drivers/sops.sh 
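Review bot: The unquoted `${SECRET_DRIVER_ARGS}` in `_gopass` is split on whitespace only, so quoting inside the value is not interpreted: `--output-type "yaml"` reaches the tool as the literal word `"yaml"`, and an argument containing a space cannot be passed at all. Unless `set -f` is in effect in this file (not visible in the hunk), any `*` or `?` in the value is also expanded against the working directory. The value comes from `HELM_SECRETS_DRIVER_ARGS` or `-a` and is prepended to every driver call, so whoever controls that environment variable shapes the command line of the decryption tool. I would state the contract above the `set --` line, e.g. `# SECRET_DRIVER_ARGS is split on whitespace; embedded quotes are passed literally and values with spaces are unsupported`. The same wrapper is added as `_sops` in scripts/drivers/sops.sh and `_vault` in scripts/drivers/vault.sh.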
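Review bot: The failure message in `_custom_driver_get_secret` prints the driver args after the secret name, but `_gopass` places them before `show`, so the logged command is not the one that ran. It also writes the whole `SECRET_DRIVER_ARGS` value to stderr, which ends up in CI logs if a caller passes something sensitive that way. Printing the real order, `echo "gopass ${SECRET_DRIVER_ARGS} show -o ${_SECRET}" >&2`, fixes the first point; the second deserves a sentence in the README section on driver args. The vault error path in scripts/drivers/vault.sh has the same shape, and the function body continues outside this hunk.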
@@ -2,6 +2,12 @@ _SOPS="${HELM_SECRETS_SOPS_BIN:-sops}" +_sops() { + # shellcheck disable=SC2086 + set -- ${SECRET_DRIVER_ARGS} "$@" + $_SOPS "$@" +} + driver_is_file_encrypted() { input="${1}" @@ -14,9 +20,9 @@ driver_encrypt_file() { output="${3}" if [ "${input}" = "${output}" ]; then - $_SOPS --encrypt --input-type "${type}" --output-type "${type}" --in-place "${input}" + _sops --encrypt --input-type "${type}" --output-type "${type}" --in-place "${input}" else - $_SOPS --encrypt --input-type "${type}" --output-type "${type}" --output "${output}" "${input}" + _sops --encrypt --input-type "${type}" --output-type "${type}" --output "${output}" "${input}" fi } @@ -27,9 +33,9 @@ driver_decrypt_file() { output="${3:-}" if [ "${output}" != "" ]; then - $_SOPS --decrypt --input-type "${type}" --output-type "${type}" --output "${output}" "${input}" + _sops --decrypt --input-type "${type}" --output-type "${type}" --output "${output}" "${input}" else - $_SOPS --decrypt --input-type "${type}" --output-type "${type}" "${input}" + _sops --decrypt --input-type "${type}" --output-type "${type}" "${input}" fi } @@ -37,5 +43,5 @@ driver_edit_file() { type="${1}" input="${2}" - $_SOPS --input-type yaml --output-type yaml "${input}" + _sops --input-type yaml --output-type yaml "${input}" } diff --git a/scripts/drivers/vault.sh b/scripts/drivers/vault.sh index f0dbd5c9..ab48133a 100644 --- a/scripts/drivers/vault.sh +++ b/scripts/drivers/vault.sh @@ -6,6 +6,12 @@ _DRIVER_REGEX='!vault [A-z0-9][A-z0-9/\-]*\#[A-z0-9][A-z0-9-]*' # shellcheck source=scripts/drivers/_custom.sh . "${SCRIPT_DIR}/drivers/_custom.sh" +_vault() { + # shellcheck disable=SC2086 + set -- ${SECRET_DRIVER_ARGS} "$@" + vault "$@" +} + _custom_driver_get_secret() { _type=$1 _SECRET_PATH="${2%#*}" 
@@ -16,9 +22,9 @@ _custom_driver_get_secret() { exit 1 fi - if ! vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}"; then + if ! _vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}"; then echo "Error while get secret from vault!" >&2 - echo vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}" >&2 + echo vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}" "${SECRET_DRIVER_ARGS}" >&2 exit 1 fi } diff --git a/scripts/run.sh b/scripts/run.sh index 02eca406..3ecc7c26 100755 --- a/scripts/run.sh +++ b/scripts/run.sh @@ -13,6 +13,8 @@ QUIET="${HELM_SECRETS_QUIET:-false}" # Define the secret driver engine SECRET_DRIVER="${HELM_SECRETS_DRIVER:-sops}" +# Define the secret driver engine +SECRET_DRIVER_ARGS="${HELM_SECRETS_DRIVER_ARGS:-}" # The suffix to use for decrypted files. The default can be overridden using # the HELM_SECRETS_DEC_SUFFIX environment variable. @@ -122,6 +124,11 @@ while true; do # shellcheck disable=SC2034 QUIET=true ;; + --driver-args | -a) + # shellcheck disable=SC2034 + SECRET_DRIVER_ARGS="$2" + shift + ;; "") # shellcheck source=scripts/commands/help.sh . "${SCRIPT_DIR}/commands/help.sh" diff --git a/tests/unit/dec.bats b/tests/unit/dec.bats index d3c05f94..4b90cb5a 100755 --- a/tests/unit/dec.bats +++ b/tests/unit/dec.bats 
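Review bot: The comment added above `SECRET_DRIVER_ARGS` in scripts/run.sh repeats the one for `SECRET_DRIVER` and does not describe the new variable. Something like `# Additional arguments prepended to every secret driver invocation (env: HELM_SECRETS_DRIVER_ARGS)` would say what it holds and where it comes from.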
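Review bot: The new `--driver-args | -a)` arm in scripts/run.sh reads `$2` without checking that a value follows the flag. When the flag is the last argument, the script either aborts on the unset parameter (if `set -u` is active in run.sh, which this hunk does not show) or silently stores an empty string; neither tells the user what went wrong. A guard before the assignment, `[ "$#" -ge 2 ] || { echo "Error: $1 requires a value" >&2; exit 1; }`, would make that explicit. The enclosing `while`/`case` starts and ends outside the hunk.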
@@ -133,3 +133,101 @@ load '../bats/extensions/bats-file/load' assert_success assert_output "[helm-secrets] Decrypting ${FILE}" } + +@test "dec: secrets.yaml + --driver-args (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + run helm secrets --driver-args "--verbose" dec "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_file_exist "${FILE}.dec" + assert_file_contains "${FILE}.dec" 'global_secret: ' + assert_file_contains "${FILE}.dec" 'global_bar' +} + +@test "dec: secrets.yaml + -a (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + run helm secrets -a "--verbose" dec "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_file_exist "${FILE}.dec" + assert_file_contains "${FILE}.dec" 'global_secret: ' + assert_file_contains "${FILE}.dec" 'global_bar' +} + +@test "dec: secrets.yaml + HELM_SECRETS_DRIVER_ARGS (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + HELM_SECRETS_DRIVER_ARGS=--verbose + export HELM_SECRETS_DRIVER_ARGS + + run helm secrets dec "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_file_exist "${FILE}.dec" + assert_file_contains "${FILE}.dec" 'global_secret: ' + assert_file_contains "${FILE}.dec" 'global_bar' +} + +@test "dec: secrets.yaml + --driver-args (complex)" { + if ! 
is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + run helm secrets --driver-args "--verbose --output-type \"yaml\"" dec "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_file_exist "${FILE}.dec" + assert_file_contains "${FILE}.dec" 'global_secret: ' + assert_file_contains "${FILE}.dec" 'global_bar' +} + +@test "dec: secrets.yaml + -a (complex)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + run helm secrets -a "--verbose --output-type \"yaml\"" dec "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_file_exist "${FILE}.dec" + assert_file_contains "${FILE}.dec" 'global_secret: ' + assert_file_contains "${FILE}.dec" 'global_bar' +} + +@test "dec: secrets.yaml + HELM_SECRETS_DRIVER_ARGS (complex)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + # shellcheck disable=SC2089 + HELM_SECRETS_DRIVER_ARGS="--verbose --output-type \"yaml\"" + # shellcheck disable=SC2090 + export HELM_SECRETS_DRIVER_ARGS + + run helm secrets dec "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_file_exist "${FILE}.dec" + assert_file_contains "${FILE}.dec" 'global_secret: ' + assert_file_contains "${FILE}.dec" 'global_bar' +} diff --git a/tests/unit/lint.bats b/tests/unit/lint.bats index 51424a66..83129dcf 100755 --- a/tests/unit/lint.bats +++ b/tests/unit/lint.bats 
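Review bot: The "(complex)" cases pass `--verbose --output-type \"yaml\"`, but nothing asserted here depends on how the embedded quotes are handled. Since the sops wrapper splits the value on whitespace, the tool most likely receives the literal word `"yaml"`, and the test still passes because the driver supplies its own `--output-type` afterwards. A case that fails when the splitting is wrong would pin the behaviour, or the test names could say that quoting is not supported. The same six cases are repeated in tests/unit/lint.bats, tests/unit/template.bats and tests/unit/view.bats.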
@@ -214,3 +214,131 @@ load '../bats/extensions/bats-file/load' assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" assert_file_not_exist "${FILE}.dec" } + +@test "lint: helm lint w/ chart + --driver-args (simple)" { + if ! is_driver_sops; then + skip + fi + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets --driver-args "--verbose" lint "${TEST_TEMP_DIR}/chart" 2>&1 + assert_success + assert_output --partial "1 chart(s) linted, 0 chart(s) failed" +} + +@test "lint: helm lint w/ chart + some-secrets.yaml + --driver-args (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets --driver-args "--verbose" lint "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "1 chart(s) linted, 0 chart(s) failed" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "lint: helm lint w/ chart + some-secrets.yaml + -a (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets -a "--verbose" lint "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "1 chart(s) linted, 0 chart(s) failed" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "lint: helm lint w/ chart + some-secrets.yaml + HELM_SECRETS_DRIVER_ARGS (simple)" { + if ! 
is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + HELM_SECRETS_DRIVER_ARGS=--verbose + export HELM_SECRETS_DRIVER_ARGS + + run helm secrets lint "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "1 chart(s) linted, 0 chart(s) failed" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "lint: helm lint w/ chart + some-secrets.yaml + --driver-args (complex)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets --driver-args "--verbose --output-type \"yaml\"" lint "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "1 chart(s) linted, 0 chart(s) failed" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "lint: helm lint w/ chart + some-secrets.yaml + -a (complex)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets -a "--verbose --output-type \"yaml\"" lint "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "1 chart(s) linted, 0 chart(s) failed" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "lint: helm lint w/ chart + some-secrets.yaml + HELM_SECRETS_DRIVER_ARGS (complex)" { + if ! 
is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + # shellcheck disable=SC2089 + HELM_SECRETS_DRIVER_ARGS="--verbose --output-type \"yaml\"" + # shellcheck disable=SC2090 + export HELM_SECRETS_DRIVER_ARGS + + run helm secrets lint "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "1 chart(s) linted, 0 chart(s) failed" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} diff --git a/tests/unit/template.bats b/tests/unit/template.bats index b5ae8f71..8fcb540b 100755 --- a/tests/unit/template.bats +++ b/tests/unit/template.bats 
@@ -352,3 +352,131 @@ load '../bats/extensions/bats-file/load' assert_success assert_output --partial "port: 81" } + +@test "template: helm template w/ chart + --driver-args (simple)" { + if ! is_driver_sops; then + skip + fi + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets --driver-args "--verbose" template "${TEST_TEMP_DIR}/chart" 2>&1 + assert_success + assert_output --partial 'RELEASE-NAME-' +} + +@test "template: helm template w/ chart + some-secrets.yaml + --driver-args (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets --driver-args "--verbose" template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "port: 83" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "template: helm template w/ chart + some-secrets.yaml + -a (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets -a "--verbose" template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "port: 83" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "template: helm template w/ chart + some-secrets.yaml + HELM_SECRETS_DRIVER_ARGS (simple)" { + if ! 
is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + HELM_SECRETS_DRIVER_ARGS=--verbose + export HELM_SECRETS_DRIVER_ARGS + + run helm secrets template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "port: 83" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "template: helm template w/ chart + some-secrets.yaml + --driver-args (complex)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets --driver-args "--verbose --output-type \"yaml\"" template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "port: 83" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "template: helm template w/ chart + some-secrets.yaml + -a (complex)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + run helm secrets -a "--verbose --output-type \"yaml\"" template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "port: 83" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} + +@test "template: helm template w/ chart + some-secrets.yaml + HELM_SECRETS_DRIVER_ARGS (complex)" { + if ! 
is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/some-secrets.yaml" + + create_chart "${TEST_TEMP_DIR}" + + # shellcheck disable=SC2089 + HELM_SECRETS_DRIVER_ARGS="--verbose --output-type \"yaml\"" + # shellcheck disable=SC2090 + export HELM_SECRETS_DRIVER_ARGS + + run helm secrets template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial "[helm-secrets] Decrypt: ${FILE}" + assert_output --partial "port: 83" + assert_output --partial "[helm-secrets] Removed: ${FILE}.dec" + assert_file_not_exist "${FILE}.dec" +} diff --git a/tests/unit/view.bats b/tests/unit/view.bats index d1c88496..bdc65bb0 100755 --- a/tests/unit/view.bats +++ b/tests/unit/view.bats 
@@ -62,3 +62,95 @@ load '../bats/extensions/bats-file/load' assert_output --partial 'global_secret: ' assert_output --partial 'global_bar' } + +@test "view: secrets.yaml + --driver-args (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + run helm secrets --driver-args "--verbose" view "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial 'global_secret: ' + assert_output --partial 'global_bar' +} + +@test "view: secrets.yaml + -a (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + run helm secrets -a "--verbose" view "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial 'global_secret: ' + assert_output --partial 'global_bar' +} + +@test "view: secrets.yaml + HELM_SECRETS_DRIVER_ARGS (simple)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + HELM_SECRETS_DRIVER_ARGS=--verbose + export HELM_SECRETS_DRIVER_ARGS + + run helm secrets view "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial 'global_secret: ' + assert_output --partial 'global_bar' +} + +@test "view: secrets.yaml + --driver-args (complex)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + run helm secrets --driver-args "--verbose --output-type \"yaml\"" view "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial 'global_secret: ' + assert_output --partial 'global_bar' +} + +@test "view: secrets.yaml + -a (complex)" { + if ! 
is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + run helm secrets -a "--verbose --output-type \"yaml\"" view "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial 'global_secret: ' + assert_output --partial 'global_bar' +} + +@test "view: secrets.yaml + HELM_SECRETS_DRIVER_ARGS (complex)" { + if ! is_driver_sops; then + skip + fi + + FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml" + + # shellcheck disable=SC2089 + HELM_SECRETS_DRIVER_ARGS="--verbose --output-type \"yaml\"" + # shellcheck disable=SC2090 + export HELM_SECRETS_DRIVER_ARGS + + run helm secrets view "${FILE}" + assert_success + assert_output --partial "Data key recovered successfully" + assert_output --partial 'global_secret: ' + assert_output --partial 'global_bar' +}